Yurii Parfinenko
289af19ce9
Use redis cache in get_approx_account_lockouts_from_login_attempts (#250)
* Use redis cache in `get_approx_account_lockouts_from_login_attempts`
* use django_redis in ci
* Add `django_redis` and `redis` to requirements.txt
* Fix an issue detected by tests: clear redis cache upon block reset
* Remove the unnecessary `if`
2026-01-29 12:53:21 -05:00
Attila
37e5dd3123
Fixed circumventing blocking by appending whitespace to username (#248)
2025-07-01 11:23:24 -04:00
Roman Gorbil
1e0aa91952
Fix watch_login with custom username (#228)
Previously, using a custom `get_username` function with disabled IP
lockout caused an unhandled exception
Exception("Invalid state requested")
2023-11-09 06:41:49 -06:00
Dashgin
a4b3f9f332
remove_prefix method working same for all python versions
2023-02-21 11:01:20 -05:00
Dashgin
428968b238
Bugfix strip_keys method (returns wrong response method when there is string containing in key_list)
2023-02-21 11:01:20 -05:00
djmore4
b9b067472c
Whoops, they worked I guess. Let's see if they still do or we need more changes. Also improve coverage
2022-11-13 11:09:53 -05:00
djmore4
7121db4b0f
another different approach
2022-11-13 11:09:53 -05:00
djmore4
bbe7687abd
Added changes and fixed small bug
2022-11-13 11:09:53 -05:00
djmore4
177f2ecce8
Add new config options and update logic/tests to account for them
2022-11-13 11:09:53 -05:00
Jona Andersen
44ecbee250
Strip port number from IP address in X-Forwarded-For
2022-05-01 14:22:28 -04:00
Ryan Bales
e5edaf3b5d
bugfix for IP backdoor to DEFENDER_LOCK_OUT_BY_IP_AND_USERNAME
2021-08-01 15:19:34 -04:00
Aleksi Häkli
a1d526f318
PEP8 formatting (#147)
Run black with Python 2.7 as target version
to unify the code styling and make it more
linter and style guide compliant
2019-11-15 20:22:14 +02:00
horida
ce95906488
send user/ip blocked signal only once
2019-09-16 08:47:35 -04:00
horida
fcfa88d679
Add unblock signals
2019-09-08 10:05:04 -04:00
Andrei Baryshnikov
3031deb761
Add possibility to use custom utils.get_username_from_request function (#122)
* Add `DEFENDER_GET_USERNAME_FROM_REQUEST_PATH` setting
This setting allows overriding the default `get_username_from_request`
function.
* Add `get_username` argument to `watch_login`
To be able to propagate this argument to other utils functions calls
* Minor code-style fixes
* Add example of use of `DEFENDER_GET_USERNAME_FROM_REQUEST_PATH` setting
* Update docs
2018-05-29 10:32:08 -04:00
William Boman
250c4d5388
add 2 new setting variables for more granular failure limit control (#113)
2018-04-10 09:22:51 -04:00
William Boman
b546224372
send signals when blocking username or ip (#114)
2018-04-10 09:21:37 -04:00
Cobus Carstens
5aa69bac96
Only use the username if it is actually provided (#112)
* Only use the username if it is actually provided
* Test that unspecified usernames cannot be blocked
* Added test to prevent Coveralls from complaining about a coverage regression.
2018-02-01 06:30:26 -05:00
William Boman
2b6374f1da
utils: add username kwarg for providing username directly rather than via callback arg (#107)
2018-02-01 06:27:38 -05:00
Mattia Procopio
85817fd278
Force the username to lowercase (#90)
2017-07-01 09:24:51 -04:00
Ken Cochrane
4d9adc35c2
Cleanup the code to remove lint warnings (#87)
* Cleanup the code to remove lint warnings
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
* Fixed typo
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
2017-06-28 17:09:44 -04:00
Jakub Kuszneruk
cd0a22c1c5
[#70] get username from request is more flexible
- Every function which loads username from request has the optional parameter: get_username
piggyback:
- removed redefinition of USERNAME_FORM_FIELD from defender.config
2017-03-10 20:04:45 +01:00
Karimov Dmitriy
d85752970b
Add DEFENDER_DISABLE_USERNAME_LOCKOUT
2016-06-20 09:20:47 +05:00
Alex White
9209f0579f
Fix DataError on login
A watched login failure causes a 500 saving a 256 character long username into the login attempts. Conditionally slice it to fit AccessAttempt
2016-05-11 14:07:50 -07:00
Vladimir Bolshakov
23a690395c
Use render shortcut instead of render_to_response.
2016-02-01 19:09:28 +03:00
bc Wong
f9047162d4
Add helpers that do not assume how to retrieve username
The `is_already_locked` method assumes how the username is stored in the
request. This patch adds helpers that don't to allow for more flexible
implementation.
2016-01-24 09:41:43 -08:00
Ken Cochrane
6b91730722
cleanup the boolean logic around is_already_locked()
2015-10-23 15:00:56 -04:00
Ken Cochrane
cc45409078
fixed pep8 issues
2015-10-21 16:44:12 -04:00
Ken Cochrane
64c5684c12
Added so that you can disable IP lockouts if you want
2015-10-21 16:33:08 -04:00
nephridium
a3207d582a
Add tests for utils get_blocked_ips() and get_blocked_usernames()
2015-06-29 18:33:33 +08:00
nephridium
67ebb8edff
Make key_list read from redis Python 3 compatible
Converts from bytes to string using .decode('utf-8')
2015-06-26 22:17:50 +08:00
Alex White
319027c1e6
Fix line length meet PEP8
2015-04-21 16:24:01 -07:00
Alex White
793720a189
Handle evaluating combined IP and username lockouts based on settings
2015-04-21 15:22:17 -07:00
Ken Cochrane
fb095e4ca9
cleaned up some landscape.io warnings
2015-03-20 11:09:45 -04:00
Ken Cochrane
47d6a71825
fixed issues #15 #35 and #36, added way to clean up access attempt table, as well as an option to not login attempts. Also speed up django admin pages
2015-03-20 10:09:39 -04:00
Ken Cochrane
ea7a8cde06
bumped the django versions on travis, and added a fix to get_ip()
2015-02-25 10:03:05 -05:00
Ken Cochrane
fd4f58a20c
took marcus's advice and used the built in django validator
2015-02-24 22:02:06 -05:00
Ken Cochrane
2f6afbdb6e
added ipv6 addresses to the test, and updated the ipv6 regex to something that worked better
2015-02-24 21:52:10 -05:00
Ken Cochrane
9c50d8e833
added fixes for issue #32, hopefully this closes the security hole that @mmetince found
2015-02-24 18:16:08 -05:00
Ken Cochrane
88c388ec42
add a fix so that we don't block an empty IP or username
2015-02-01 10:17:10 -05:00
Ken Cochrane
87945f97ee
fixing an issue @jlhawn found, we should only block if we are over the limit
2015-01-29 20:02:35 -05:00
Ken Cochrane
130f696a7e
added new context variable to lockout template
2015-01-29 08:10:19 -05:00
Ken Cochrane
db3eea99cc
initial commit, adding admin pages to manage blocked users
2015-01-27 18:06:56 -05:00
Marcus Martins
351148b239
refactor is_already_locked and add better test coverage
Simplify the is_already_locked code and make sure
that we're testing that code better.
2015-01-12 09:42:38 -08:00
Ken Cochrane
92c378bf68
Add Celery option for writing to database
2015-01-03 16:33:51 -05:00
Ken Cochrane
a7bc8c0d55
added landscape.io and some fixes it found
2015-01-03 11:09:30 -05:00
Joffrey F
48d45a0367
Use pipelines for atomic transactions
2015-01-02 16:09:24 -08:00
Joffrey F
08bb7d12fb
Fixed get_user_attempts() and unit tests
2015-01-02 13:26:43 -08:00
Joffrey F
70fa41ff0d
Ensure we don't break when cooloff time is 0 ('permanent' lock)
2015-01-02 12:12:57 -08:00
Ken Cochrane
a8e721dd3d
more refactoring and unit tests
2015-01-01 12:51:46 -05:00